Impacts of GDPR

25 May 2018 was, as we know, the day that the new law, the General Data Protection Regulation (GDPR), was enforced, but what will be the impact on businesses after that date?

It’s worth remembering that many of the requirements of the GDPR already exist in law in the existing Data Protection Act 1998 (DPA) so if an organisation already has a culture of respecting individual’s data and an operational approach which embraces the principles of the DPA, then the impact of the GDPR may not be as great as some of the commentary in the media on the subject suggests.

The GDPR does raise the bar though, particularly around transparency and what constitutes consent from individuals. Helpfully, the Information Commissioners Office has published excellent guidance on its website. Referring to the six principles of GDPR, they say that personal data should be:

Processed lawfully, fairly and in a transparent manner

Collected for specified, explicit and legitimate purposes

Adequate, relevant and limited to what is necessary

Accurate and where necessary kept up to date

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it was collected and is processed

Processed in a manner that ensures appropriate security of the personal data.

Accountability is central to GDPR. Organisations that process personal data are responsible for compliance with the principles and must be able to demonstrate this to data subjects (individuals) and, when and if necessary, to the regulator.

At the recent ICO Conference, Elizabeth Denham the Information Commissioner for the UK, said that the 25 May 2018 should not be viewed as a deadline or the end of a journey but as the beginning. She added that whilst full compliance with the GDPR might be a journey, it isn’t a holiday! And for me, here is where the impact will be felt for organisations. There is much more emphasis around record keeping, having appropriate data protection policies and maintaining records of why and under what legal basis personal data is being processed.

If the worst happens and for whatever reason action is taken by the regulator, yes there may be fines, but an even worse disruption for an organisation could be that the regulator instructs it to cease processing personal data. I’ve heard it said that trust is the new black and with heightened awareness and more rights for all of us in terms of how our data is obtained, stored and processed, breaking customers’ trust is likely to have the greatest impact on a business and its reputation.

For some excellent essential guidance and tools, I recommend you check out the Data Protection Network at https://www.dpnetwork.org.uk

Debbie McElhill is founder of Fresh Snow Consulting Limited and is working in association with Opt-4, the data protection consultancy which delivers practical solutions to the challenges and opportunities presented to businesses by data protection regulatory changes.